CN102473221A - Unauthorized process detection method and unauthorized process detection system - Google Patents


Info

Publication number
CN102473221A
Authority
CN
China
Prior art keywords
communication
terminal
illegal
carried out
activity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2010800342244A
Other languages
Chinese (zh)
Inventor
鬼头哲郎
川口信隆
大河内一弥
仲小路博史
重本伦宏
川口龙之进
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Ltd
Original Assignee
Hitachi Ltd
Application filed by Hitachi Ltd
Publication of CN102473221A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Provided is a system whereby information on activities obtained by way of monitoring system access to input and output devices and storage devices in a terminal as well as information on activities executed by way of a terminal and obtained by way of monitoring communications through a network are associated with processes in the terminal that generated the activities, and if the activities are predetermined activities executed by the same or related processes, the system detects that unauthorized processes are running on the terminal.

Description

Illegal process detection method and illegal process detection system
Incorporation by reference: this application claims priority from Japanese Patent Application No. 2009-201794, filed September 1, 2009 (Heisei 21), the contents of which are incorporated herein by reference.
Technical field
The present invention relates to a method and system for detecting illegal processes, such as computer viruses, that carry out unlawful activities via a network.
Background technology
One countermeasure against illegal intrusion via a network is the network-type intrusion detection system. A technology related to network-type intrusion detection systems is described in Patent Document 1. In Patent Document 1, an intrusion detection device monitors communication via the network, analyzes the flowing packets, and judges whether an illegal intrusion has occurred. When an illegal intrusion is judged to have occurred, countermeasures such as blocking the communication are taken.
Technologies that apply a network-type intrusion detection system to detect whether a terminal infected with a computer virus exists inside a network are described in Patent Document 2 and Non-Patent Document 1. In the technology of Patent Document 2, abnormal communication is detected based on the result of monitoring communication via the network. When abnormal communication is detected, the feature pattern of the abnormal communication is notified to the terminals, and each terminal judges whether it has carried out abnormal communication in the past by comparing that pattern with the feature patterns of the communications it has itself carried out. In the technology of Non-Patent Document 1, communication via the network is monitored, and a terminal carrying out suspicious activity is detected by correlating a plurality of network activities carried out by one terminal.
Prior art documents
Patent documents
Patent Document 1: Japanese Laid-Open Patent Publication No. 2002-73433
Patent Document 2: Japanese Laid-Open Patent Publication No. 2008-278272
Non-patent documents
Non-Patent Document 1: "BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation", Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong and Wenke Lee, Proceedings of the 16th USENIX Security Symposium, pp. 167-182, 2007.
Technical problem to be solved by the invention
In recent years, a kind of computer virus called a bot (BOT) has become a very serious problem. A bot operates on a user's terminal (computer) and carries out unlawful activities according to instructions received via the network from an attacker at a remote location. The unlawful activities of a bot include attack activities that target software vulnerabilities, attacks that make services unavailable, transmission of spam, and transmission of confidential information held in the infected terminal to the outside.
Unlike conventional computer viruses such as worms, a bot does not necessarily attack by targeting software vulnerabilities. The technologies described in Patent Documents 1 and 2 have the following problem: although an attack that targets a software vulnerability and therefore contains abnormal data can be detected, unlawful activities such as the transmission of spam or the transmission of confidential information to the outside cannot be detected. This is because, for example, the transmission of spam is not an action that sends data that makes software behave abnormally; the spam is sent by the same steps as ordinary mail.
In addition, the technology of Non-Patent Document 1 has the following problem: when a plurality of network activities (for example, sending mail and a session communication using IRC (Internet Relay Chat)) are carried out normally rather than by an illegal process, a normal terminal is falsely detected as a suspicious terminal. Thus, in conventional anomaly detection using intrusion detection systems, it is difficult to distinguish unlawful activities carried out through regular procedures from normal behavior.
Summary of the invention
Means for solving the problem
As described above, it is difficult to detect an illegal process only by monitoring activity in the network. Therefore, in the present invention, the activity of processes in the terminal, the activity of processes in the network, or both are monitored; each activity is associated with the identifier of the process that carried it out; and the activities are aggregated by identical process or by group of related processes, in order to judge whether unlawful activities are being carried out.
Here, two processes are said to be related when, upon recursively tracing back the process (parent process) that generated each of them, a common process exists in both chains.
A concrete mode of the present invention is as follows. A terminal, a communication monitoring device and an illegal process determination device are connected to an internal network. Memory accesses in the terminal, and accesses to the storage device, input device and the like (hereinafter called system accesses), are monitored; the activities obtained by monitoring the system accesses are associated with processes in the terminal and notified to the illegal process determination device. In addition, the communication carried out by the terminal is monitored in the communication monitoring device; the activities obtained by monitoring the communication are associated with processes in the terminal and notified to the illegal process determination device. The illegal process determination device refers to the notified activities and judges whether an illegal process is active in the terminal according to whether the activities that satisfy a predetermined condition were carried out by identical or related processes.
Effect of the invention
According to the present invention, it is possible to detect the activity of an illegal process that is difficult to detect by monitoring only the communication carried out via the network.
Description of drawings
Fig. 1 shows a structure example of the illegal process detection system.
Fig. 2 shows a hardware configuration example of each device constituting the illegal process detection system.
Fig. 3 shows a software configuration example of each device constituting the illegal process detection system.
Fig. 4 shows a structure example of the process information database.
Fig. 5 shows a structure example of the system monitoring result database.
Fig. 6 shows a structure example of the communication monitoring result database.
Fig. 7 shows a structure example of the determination policy.
Fig. 8 shows a processing flow example of the system monitoring unit.
Fig. 9 shows a processing flow example of the communication monitoring unit.
Fig. 10 shows a processing flow example of the process information association unit.
Fig. 11 shows a processing flow example of the illegal process determination unit.
Fig. 12 shows a software configuration example of the terminal in Embodiment 2.
Embodiment
Embodiments of the present invention are described below with reference to the drawings. The following description only illustrates embodiments of the present invention and does not limit the structure, functions, etc. of the present invention.
Embodiment 1
Fig. 1 shows a structure example of the illegal process detection system 100 of the present embodiment. The illegal process detection system 100 comprises a terminal 101, a communication monitoring device 102 and an illegal process determination device 103, which are connected through an internal network 104. Terminals, communication devices and the like that are not shown are also connected to the internal network 104. The communication monitoring device 102 is also connected to an external network 105 such as the Internet.
In Fig. 1, the communication monitoring device 102 is placed so that communication between the internal network 104 and the external network 105 passes through it. However, the position of the communication monitoring device 102 is not limited to that shown in Fig. 1; it may be placed at any position where the communication between the internal network 104 and the external network 105 can be monitored.
Fig. 2 shows hardware configuration examples of the devices 101, 102 and 103 of the illegal process detection system. The hardware constituting each device actually has the same structure; the respective operations are determined by the software executed by each arithmetic unit.
The terminal 101 is an information processing device, such as a PC held by a user. The terminal 101 comprises an arithmetic unit 211, a memory 212, a storage device 213 such as a hard disk, a communication device 214 such as a network interface card, an input device 215 such as a keyboard or mouse, and a display device 216 such as an LCD (Liquid Crystal Display). The arithmetic unit 211 executes the programs stored in the storage device 213 and controls each unit. The storage device 213 stores the programs executed by the arithmetic unit 211 and the data used by the arithmetic unit 211. The communication device 214 receives data from other devices via the network 104 and passes it to the arithmetic unit 211, and sends data generated by the arithmetic unit 211 to other devices via the network 104. The arithmetic unit 211 controls the input device 215 and the display device 216, receiving data from the input device 215 and outputting data to the display device 216. Programs are stored in the storage device 213, loaded from the storage device 213 into the memory 212, and executed by the arithmetic unit 211. The terminal 101 loads and executes these programs from the storage device 213; as another example, the programs may be loaded from a recording medium such as an optical recording medium (CD, DVD, etc.), a magneto-optical recording medium such as an MO, a tape medium, a magnetic recording medium or a semiconductor memory. As a further example, the programs may be loaded from another device via a communication medium. A communication medium means a network, or a digital signal or carrier wave propagated in the network.
The communication monitoring device 102 comprises an arithmetic unit 221, a memory 222, a storage device 223 such as a hard disk, communication devices 224 and 225 such as network interface cards, an input device 226 such as a keyboard or mouse, and a display device 227 such as an LCD. The illegal process determination device 103 comprises an arithmetic unit 231, a memory 232, a storage device 233 such as a hard disk, a communication device 234 such as a network interface card, an input device 235 such as a keyboard or mouse, and a display device 236 such as an LCD. The hardware of the communication monitoring device 102 and of the illegal process determination device 103 operates in the same way as that of the terminal 101.
Fig. 3 shows a software configuration example of the terminal 101, the communication monitoring device 102 and the illegal process determination device 103 that constitute the illegal process detection system 100.
In the present embodiment, an illegal process operating inside the terminal 101 is detected by the illegal process detection system 100. The terminal 101 has: a data transmitting/receiving unit 311, which exchanges information with the internal network 104; a process 312 operating inside the terminal; a system monitoring unit 313, which monitors accesses by the process 312 to the storage device 213, the input device 215 and the like; a process information association unit 314, which associates the communication carried out with the internal network 104 via the data transmitting/receiving unit 311 with the process; a system monitoring result notification unit 315, which sends the monitoring results of the system monitoring unit 313 to the illegal process determination device 103; and a process information database 316, which stores information on the parent-child relationships of processes, i.e. which process generated which process in the terminal 101.
The process 312 is an instance of an arbitrary program, stored in the storage device 213 or the like, that is executing in the terminal 101; it exchanges information with the internal network 104 via the data transmitting/receiving unit 311, accesses the memory 212, the input device 215 and the like, or does both. Accesses by the process 312 to storage such as the memory 212 and to input/output devices such as the input device 215 are called system accesses, and the exchange of information with the internal network 104 is called communication. The monitored objects in the present embodiment are these system accesses and communications.
Fig. 4 shows an example of the process information database 316. The process information database 316 consists of a process identifier 401 and a parent process identifier 402. The process identifier 401 is an identifier for identifying a process in the terminal 101. The parent process identifier 402 is the identifier of the process (parent process) that generated the process represented by the process identifier 401.
Returning to Fig. 3: the communication monitoring device 102 has a data transmitting/receiving unit 321, which exchanges information with the internal network 104; a data transmitting/receiving unit 322, which exchanges information with the external network 105; a communication monitoring unit 323, which monitors the information communicated between the internal network 104 and the external network 105; and a communication monitoring result notification unit 324, which sends the monitoring results of the communication monitoring unit 323 to the illegal process determination device 103.
The illegal process determination device 103 has: a data transmitting/receiving unit 331, which exchanges information with the internal network 104; a system monitoring result receiving unit 332, which receives, via the data transmitting/receiving unit 331, the system monitoring results notified by the system monitoring result notification unit 315 of the terminal 101; a communication monitoring result receiving unit 333, which receives, via the data transmitting/receiving unit 331, the communication monitoring results notified by the communication monitoring result notification unit 324 of the communication monitoring device 102; a system monitoring result database 334, which stores the received system monitoring results; a communication monitoring result database 335, which stores the received communication monitoring results; a determination policy 336, which defines unlawful activities (hereinafter, "activity" is used as the term for the "processing" or "actions" that accompany the execution of a process assumed to be a computer virus or the like; unlawful activities are the illegal "processing" or "actions" accompanying the execution of an illegal process, and the "processing" or "actions" accompanying the execution of a regular process are likewise "activities"); an illegal process determination unit 337, which compares the contents of the system monitoring result database 334, the communication monitoring result database 335 and the determination policy 336 and judges whether a process operating in the terminal 101 is an illegal process; and a determination result notification unit 338, which issues an alert based on the determination result obtained by the illegal process determination unit 337.
Fig. 5 shows an example of the system monitoring result database 334. The system monitoring result database 334 consists of a terminal identifier 501, a process identifier 502, an associated process identifier list 503 and an activity content 504. The terminal identifier 501 is the identifier of the terminal that carried out the activity detected by the system monitoring unit 313. The process identifier 502 is the identifier of the process, in the terminal 101 identified by the terminal identifier 501, that carried out the activity detected by the system monitoring unit 313. The associated process identifier list 503 is the list of process identifiers obtained by recursively tracing parent processes from the process identifier 502: the identifier of the process (parent process) that generated the process identified by the process identifier 502, the identifier of the process that generated that parent process, and so on. Hereinafter, when an "associated process identifier list" is mentioned without a reference numeral, it means the list of process identifiers obtained by recursively tracing the parent processes of a given process. The activity content 504 is information representing the content of the activity detected by the system monitoring unit 313.
Fig. 6 shows an example of the communication monitoring result database 335. The communication monitoring result database 335 consists of a terminal identifier 601, a process identifier 602, an associated process identifier list 603, communication parameters 604 and a communication content 605. The terminal identifier 601 is the identifier of the terminal 101 whose activity was detected by the communication monitoring unit 323. The process identifier 602 is the identifier of the process, in the terminal 101 identified by the terminal identifier 601, whose activity was detected by the communication monitoring unit 323. The associated process identifier list 603 is the list of process identifiers obtained by recursively tracing parent processes from the process identifier 602: the identifier of the process (parent process) that generated the process identified by the process identifier 602, the identifier of the process that generated that parent process, and so on. The communication parameters 604 are the parameters of the communication detected by the communication monitoring unit 323 and consist of a protocol 606, a source IP (Internet Protocol) address 607, a source port number 608, a destination IP address 609 and a destination port number 610. The communication content 605 is the content (communication category) of the communication detected by the communication monitoring unit 323.
Fig. 7 shows an example of the determination policy 336. The determination policy 336 consists of a determination condition monitoring result list 701 and a determination result 702. The determination condition monitoring result list 701 is the list of monitoring results that serve as the conditions to be satisfied for the illegal process determination unit 337 to judge that an activity is that of an illegal process. The determination condition monitoring result list 701 consists of one or more monitoring results 703, and each monitoring result 703 consists of a category 704 and a content 705. The category 704 indicates whether the monitoring result 703 was detected by the system monitoring unit 313 or by the communication monitoring unit 323, and the content 705 indicates the content of the activity detected by the system monitoring unit 313 or the communication monitoring unit 323. The determination result 702 is the determination result obtained from the illegal process determination unit 337 when all the monitoring results contained in the determination condition monitoring result list 701 are satisfied.
How information is registered in the determination policy 336 is not specified in the present embodiment. Examples include manual registration by the network administrator, and periodically accessing an external site to download the information to be registered, as existing antivirus software does.
The operation of the illegal process detection system 100 is now described. The process 312 in the terminal 101 writes data to the memory 212 and the storage device 213 and accesses the input device 215 and the display device 216 (collectively called system accesses). The system monitoring unit 313 monitors the system accesses carried out by the process 312 in the terminal 101 and determines whether a process carrying out suspicious activity exists. In the present embodiment, the processes monitored by the system monitoring unit 313 are all the processes operating in the terminal 101; however, the monitored processes may be restricted, for example to specific processes only, or only to processes started by a particular user.
Fig. 8 shows an example of the processing flowchart of the system monitoring unit 313. After the system monitoring unit 313 starts, it monitors process starts and system accesses (step 801). When a process start or a system access by any process is detected (step 802), it determines whether the detected event is a process start (step 803).
In the case of a process start, the identifier of the process detected as starting and the identifier of the process (parent process) that generated it are obtained (step 804). The process identifier and the parent process identifier are obtained using a function of the OS (Operating System), or by reading a privileged area of the memory 212 in the terminal 101.
The obtained process identifier and parent process identifier are registered in the process information database 316 (step 805), and the flow returns to step 801 to continue monitoring. When a process in the terminal 101 is obviously not an illegal process (a regular process), the processes may be filtered at the time of registration in the process information database 316, so that an entry whose process identifier or parent process identifier matches that of the regular process is not registered in the process information database 316.
When step 803 finds a system access, the content of the system access is determined (step 806), and in step 807 it is judged whether this system access should be notified to the illegal process determination unit 337.
The content of a system access is determined, for example, by monitoring file accesses and detecting accesses to a specific folder in the terminal 101, as described in "P2P file-swapping software environment node type information flow prevention function proposal" (authors: Matsuoka Masaaki, pine Takahiro, Terada really sensitive, Kito Tetsuro, secondary roads Hiroshi; Information Processing Society of Japan, Computer Security Research Report Vol. 2008, No. 71, pp. 115-122, 2008), or by monitoring the OS function calls made by each process and detecting that a predetermined combination of function calls is carried out by the same process, as described in "Research on an information-leaking virus detection method based on terminal operation monitoring" (authors: Kito Tetsuro, pine Takahiro, Matsuoka Masaaki, secondary roads Hiroshi, Terada really sensitive; Information Processing Society of Japan, Computer Security Research Report Vol. 2008, No. 71, pp. 317-322, 2008).
When step 807 judges that the system access is not to be notified, the flow returns to step 801 and continues monitoring system accesses. When it judges that the system access is to be notified, the identifier of the process that carried out the system access is obtained (step 808), and the associated process identifier list of that process is obtained from the process information database 316 (step 809). The process that carried out the system access is identified by reading a privileged area of the memory 212 of the terminal 101; such memory reading is sometimes also provided as a function of the OS. The system monitoring result notification unit 315 is then called (step 810), the system monitoring result (the process identifier (result of step 808), the associated process identifier list (result of step 809) and the activity content (result of step 806)) is notified to the illegal process determination device 103, and the flow returns to step 801 to continue monitoring system accesses.
Besides system accesses, the process 312 also communicates via the data transmitting/receiving unit 311. The process information association unit 314 in the terminal 101 monitors the communication carried out by the process 312 via the data transmitting/receiving unit 311 and associates the process with the communication parameters. The process information association unit 314 is software with the function of associating process information with communication parameters, so that when the communication monitoring unit 323 provided in the communication monitoring device 102 detects a communication, it can identify which process carried out that communication.
Fig. 9 shows an example of the processing flowchart of the process information association unit 314. The process information association unit 314 monitors the transmission of packets via the data transmitting/receiving unit 311 (step 901). When the transmission of a packet is detected (step 902), the transmission of that packet is temporarily suspended (step 903), and it is determined whether the packet being sent is an IP packet (step 904). If it is not an IP packet, the packet is sent via the data transmitting/receiving unit 311 (step 908), and the flow returns to step 901 to continue monitoring.
If the packet being sent is an IP packet, the identifier of the process attempting to send the packet is obtained (step 905), and the associated process identifier list of that process is obtained from the process information database 316 (step 906). The process attempting to send the packet is obtained using a function of the OS, or identified by reading a privileged area of the memory 212 in the terminal 101. The identifier and the associated process identifier list of the obtained process are embedded in the packet (step 907), the packet carrying the embedded process identifier and associated process identifier list is sent (step 908), and the flow returns to step 901 to continue monitoring.
In step 907, the process identifier and the like are embedded in the option field of the IP packet, as described in "P2P file-swapping software environment information flow measures tectonic studies" (authors: Terada really sensitive, Kito Tetsuro, secondary roads Hiroshi, pine Takahiro, Matsuoka Masaaki; Information Processing Society of Japan, Computer Security Research Report Vol. 2008, No. 21, pp. 243-248, 2008).
By embedding the process information in the IP packet, when the communication monitoring unit 323 detects a communication, the process that carried out the communication can be identified by referring to a specific part of the packet (for example, the option field), without relying on any other information.
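The following Python is an added example, not code from the patent or from Hitachi, of steps 904 to 907 on the terminal and of the matching extraction in step 1005 on the communication monitoring device: the sending process's identifier and its associated process identifier list are carried in an IPv4 option and read back by the monitor. The option type number, the addresses, the payload and the process identifiers are assumptions made for this example; the patent fixes no option type.

```python
import struct

# Hypothetical IPv4 option type for the process information. The patent only
# says the identifiers go into the IP option field and fixes no option type:
# bit 7 ("copied") is set so fragments keep the option, the class is 0
# (control), and number 30 is an assumed, unassigned value for this example.
PROC_INFO_OPTION = 0x80 | 30
OPT_EOL, OPT_NOP = 0, 1
MAX_OPTIONS_LEN = 40            # IHL is 4 bits: 15 * 4 bytes minus the 20 fixed


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def iter_options(options: bytes):
    """Yield (type, data) for each IP option; NOP is padding, EOL ends the list."""
    i = 0
    while i < len(options) and options[i] != OPT_EOL:
        if options[i] == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed IP option")
        yield options[i], options[i + 2:i + options[i + 1]]
        i += options[i + 1]


def build_packet(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed sample only: a plain IPv4/TCP packet without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def embed_process_info(packet: bytes, pid: int, ancestors: list) -> bytes:
    """Step 907 on the terminal: append the sending process's identifier and its
    associated process identifier list (parents traced recursively) as an option,
    then fix IHL, total length and checksum. A non-IPv4 packet is returned
    unchanged, as step 904 sends it as it is."""
    if packet[0] >> 4 != 4:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    fixed, payload = packet[:20], packet[ihl:]
    # keep any options already present (NOP padding is dropped and re-added)
    kept = b"".join(bytes([t, 2 + len(d)]) + d for t, d in iter_options(packet[20:ihl]))
    ids = [pid] + list(ancestors)
    data = struct.pack("!%dI" % len(ids), *ids)
    opts = kept + bytes([PROC_INFO_OPTION, 2 + len(data)]) + data
    opts += b"\x00" * (-len(opts) % 4)          # pad with EOL to a 32-bit boundary
    if len(opts) > MAX_OPTIONS_LEN:
        raise ValueError("ancestor chain too long for the 40-byte option field")
    new_ihl = 5 + len(opts) // 4
    hdr = (bytes([0x40 | new_ihl]) + fixed[1:2]
           + struct.pack("!H", new_ihl * 4 + len(payload))
           + fixed[4:10] + b"\x00\x00" + fixed[12:20] + opts)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def extract_process_info(packet: bytes):
    """Step 1005 on the communication monitoring device: recover (pid, ancestors)
    from the option field, or None when the packet carries no such option."""
    if packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    for typ, data in iter_options(packet[20:ihl]):
        if typ == PROC_INFO_OPTION and len(data) >= 4 and len(data) % 4 == 0:
            ids = list(struct.unpack("!%dI" % (len(data) // 4), data))
            return ids[0], ids[1:]
    return None


# Constructed sample: 10.0.0.5 is the internal terminal, 192.0.2.10 the external host.
SAMPLE_PACKET = build_packet(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), b"sample payload")
```

Because the option field is limited to 40 bytes, the chain that fits is short; a deployment has to truncate the associated process identifier list or filter regular ancestors as step 805 allows.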
As another example of how the process information association unit 314 associates a communication with a process, the correspondence between the communication parameters and the process identifier may be recorded in advance when the communication is carried out and notified to the communication monitoring device at a predetermined timing.
Process 312 in terminal 101 has been sent to external network 105 under the situation of bag, and this bag is from communication monitoring device 102 processes.In the communication monitoring portion 323 in communication monitoring device 102, keep watch on the bag from communication monitoring device 102 processes, which type of communication the communication of confirming the bag of process is.
An example of the processing flow chart of communication monitoring portion 323 has been shown among Figure 10.The communication (step 1001) of process in communication monitoring device 102 is kept watch on by communication monitoring portion 323.If detect communication (step 1002), then confirm the activity description (step 1003) of this communication, judge whether that notice should activity (step 1004).
Activity description for example uses patent documentation 1 to put down in writing the method in such existing intruding detection system, perhaps confirms based on the IP address or the port numbers of the bag of wanting process.
In step 1004, be judged as under the situation of not carrying out notifying, be back to step 1001, proceed to keep watch on.In step 1004, be judged as under the situation about notifying, obtain the information (step 1005) relevant with the process of having carried out this communication.
The obtaining of the information relevant with process in the step 1005, being obtaining of Process identifier and association process identifier list, is to change with the corresponding mode of setting up between the process according to the communication that the process context at terminal 101 is set up in the portion 314.As stated, set up in the portion 314 at process context the IP bag has been embedded under the situation of Process identifier and association process identifier list, be embedded into the information in the bag, obtain Process identifier and association process identifier list through extraction.
Calling communication is kept watch on result notification portion 324 (steps 1006); Keep watch on result (having carried out identifier, association process identifier list, the Content of Communication of the process of communication) to illegal process decision maker 103 notifying communication; Be back to step 1001, the supervision of proceeding to communicate by letter.
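The embedding on the terminal side (step 907 of Figure 9) and the extraction on the monitoring side (step 1005 of Figure 10), as an added example that is not part of the patent and not Hitachi's implementation: the process identifier and its related process identifier list are packed into an IPv4 option, the IHL and header checksum are recomputed, and the monitoring side validates the header and walks the option area to read the list back. The option type number 30, the addresses and the process identifiers are assumptions constructed for this example; the patent specifies neither an option number nor an encoding.

```python
"""Carry a process identifier list in an IPv4 option and read it back.

Added example for the embedding step described in the patent text; not the
patent's or Hitachi's code.
"""
import socket
import struct

# Option type used for the process identifier list. The patent names no option
# number; 30 (copy flag 0, class 0, number 30) is an assumed value for this example.
PROCESS_OPTION_TYPE = 30
MAX_PIDS = 9  # 2 option-header bytes + 9 * 4 bytes = 38 <= 40 bytes of option space


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_process_option(pid_list):
    """Option body: the sending process first, then its parent chain, 32 bits each."""
    if not 1 <= len(pid_list) <= MAX_PIDS:
        raise ValueError("process identifier list must hold 1..%d entries" % MAX_PIDS)
    body = b"".join(struct.pack("!I", pid) for pid in pid_list)
    return bytes([PROCESS_OPTION_TYPE, 2 + len(body)]) + body


def build_ipv4_header(src, dst, proto, payload_len, pid_list=None):
    """Minimal IPv4 header; when pid_list is given the option is appended,
    padded to a 32-bit boundary, and IHL and checksum are recomputed."""
    option = build_process_option(pid_list) if pid_list else b""
    option += b"\x00" * (-len(option) % 4)  # pad with End-of-Option-List bytes
    ihl = 5 + len(option) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + payload_len,
        0x1234, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    ) + option
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def extract_process_list(packet):
    """Monitoring side (step 1005): validate the header, walk the option area and
    return (src, dst, pid_list); None when no process option is present."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    options = packet[20:ihl]
    i = 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:       # End of Option List
            break
        if opt_type == 1:       # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length out of range")
        if opt_type == PROCESS_OPTION_TYPE:
            body = options[i + 2:i + length]
            if len(body) % 4:
                raise ValueError("process option body is not 32-bit aligned")
            return src, dst, list(struct.unpack("!%dI" % (len(body) // 4), body))
        i += length
    return None


if __name__ == "__main__":
    # Constructed values: process 4321 spawned by 800 on 10.0.0.5 talking to 203.0.113.10.
    pkt = build_ipv4_header("10.0.0.5", "203.0.113.10", 6, 0, [4321, 800])
    print(extract_process_list(pkt))
```

Two practical caveats follow from this design. The option is written by the terminal itself, so a process able to send raw packets can claim any identifier; the monitoring device therefore has to treat the list as an assertion by the terminal's trusted component, which is one reason embodiment 2 moves that component into the virtual machine monitor, outside the guest's reach. Routers and firewalls also commonly drop or strip packets carrying unknown IP options, so the option must be removed before the packet leaves the monitored path, or the alternative of notifying the communication parameters to the communication monitoring device in advance should be used.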
The activity-related information detected by the system monitoring unit 313 in terminal 101 and by the communication monitoring unit 323 in communication monitoring device 102 is sent to the illegal process determination device 103 through the system monitoring result notification unit 315 and the communication monitoring result notification unit 324 respectively. The system monitoring result reception unit 332 receives the system monitoring result sent from terminal 101, records the received system monitoring result in the system monitoring result database 334, and calls the illegal process determination unit 337 with that system monitoring result as a parameter. The communication monitoring result reception unit 333 receives the communication monitoring result sent from communication monitoring device 102, records the received communication monitoring result in the communication monitoring result database 335, and calls the illegal process determination unit 337 with that communication monitoring result as a parameter. The illegal process determination unit 337 judges whether an illegal process is active in terminal 101 on the basis of the monitoring result given as the parameter, the information held in the system monitoring result database 334 and the communication monitoring result database 335, and the determination policy 336.
Figure 11 shows an example of the processing flow of the illegal process determination unit 337. The illegal process determination unit 337 obtains the monitoring result passed to it as the parameter (step 1101). The monitoring result passed as the parameter is either a system monitoring result or a communication monitoring result; below, both are referred to collectively as monitoring results. The terminal identifier is extracted from the obtained monitoring result (step 1102). The system monitoring result database 334 is referenced (step 1103) and it is confirmed whether a system monitoring result having the same terminal identifier as the one extracted in step 1102 exists (step 1104). If a system monitoring result with the same terminal identifier exists in the system monitoring result database 334, processing advances to step 1105; if none exists, it advances to step 1107. Among the system monitoring results having the same terminal identifier as the extracted one, it is confirmed whether a system monitoring result related to the obtained monitoring result exists in the system monitoring result database 334 (step 1105). If a related system monitoring result exists in the system monitoring result database 334, that related system monitoring result is obtained (step 1106). A monitoring result being related to another system monitoring result means that the process identifier included in the monitoring result, or one of the process identifiers listed in its related process identifier list, matches the process identifier included in the other system monitoring result or one of the process identifiers listed in that result's related process identifier list.
The communication monitoring result database 335 is referenced (step 1107) and it is confirmed whether a communication monitoring result having the same terminal identifier as the one extracted in step 1102 exists (step 1108). If a communication monitoring result with the same terminal identifier exists in the communication monitoring result database 335, processing advances to step 1109; if none exists, it advances to step 1111. Among the communication monitoring results having the same terminal identifier as the extracted one, it is confirmed whether a communication monitoring result related to the obtained monitoring result exists (step 1109). If a related communication monitoring result exists in the communication monitoring result database 335, that related communication monitoring result is obtained (step 1110). A monitoring result being related to a communication monitoring result has the same meaning as described above.
The determination policy is referenced (step 1111), and it is confirmed, on the basis of the monitoring result obtained in step 1101, the system monitoring result obtained in step 1106 and the communication monitoring result obtained in step 1110, whether a policy exists whose determination conditions are all satisfied (step 1112). The flowchart of Figure 11 is simplified, so the objects checked in step 1112 are stated here plainly: the objects checked for a policy whose determination conditions are all satisfied are the monitoring result obtained in step 1101, the system monitoring result related to it that was obtained in step 1106 (when one was obtained), and the communication monitoring result related to it that was obtained in step 1110 (when one was obtained). That is, the check covers the monitoring result obtained in step 1101 together with the monitoring results related to it that already exist in the system monitoring result database 334 or the communication monitoring result database 335. If no such policy exists, processing ends. If such a policy exists, it is judged that an illegal process is performing activity (step 1113), the determination result notification unit 338 is called (step 1114), the monitoring result obtained in step 1101 is recorded in the system monitoring result database 334 or the communication monitoring result database 335, and processing ends.
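The determination flow of Figure 11, together with the definition of a related process that the text gives above and that claims 2 and 8 restate (a shared identifier anywhere in the two related process identifier lists), as an added example that is not the patent's own code: an in-memory version of databases 334 and 335, the relation test over process identifiers, and a policy check that fires when a system activity and a communication activity are observed from the same or related processes on one terminal. The policy format, activity strings, terminal names and process identifiers are assumptions constructed for this example; the patent does not specify the format of the determination policy 336.

```python
"""Correlate system-monitoring and communication-monitoring results by process.

Added example for the Figure 11 determination flow; not the patent's own code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MonitoringResult:
    kind: str                       # "system" (unit 313) or "communication" (unit 323)
    terminal: str                   # terminal identifier
    pid: int                        # process that performed the activity
    related_pids: Tuple[int, ...]   # related process identifier list: pid, parent, grandparent, ...
    activity: str                   # activity content, e.g. "write:autorun" or "connect:tcp/6667"

    def identifiers(self) -> frozenset:
        return frozenset((self.pid,) + self.related_pids)


def related(a: MonitoringResult, b: MonitoringResult) -> bool:
    """Definition from the Figure 11 text and claim 2: the identifier of one result,
    or any entry in its related process identifier list, matches one of the other's."""
    return not a.identifiers().isdisjoint(b.identifiers())


@dataclass(frozen=True)
class Policy:
    """Constructed policy format (the patent does not fix one): one system activity
    and one communication activity that must both be seen from related processes."""
    name: str
    system_activity: str
    comm_activity: str


class Determiner:
    """Illegal process determination unit 337 with in-memory databases 334 and 335."""

    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)
        self.system_db: List[MonitoringResult] = []   # database 334
        self.comm_db: List[MonitoringResult] = []     # database 335

    def _related_in(self, db, result):
        # Steps 1104/1105 and 1108/1109: same terminal identifier, then related process.
        return [r for r in db if r.terminal == result.terminal and related(r, result)]

    def judge(self, result: MonitoringResult) -> Optional[str]:
        """Steps 1101-1114. Returns the name of the first satisfied policy, or None.
        The incoming result is recorded in its database either way."""
        candidates = [result]
        candidates += self._related_in(self.system_db, result)   # step 1106
        candidates += self._related_in(self.comm_db, result)     # step 1110
        system_acts = {r.activity for r in candidates if r.kind == "system"}
        comm_acts = {r.activity for r in candidates if r.kind == "communication"}
        verdict = None
        for policy in self.policies:                              # steps 1111-1112
            if policy.system_activity in system_acts and policy.comm_activity in comm_acts:
                verdict = policy.name                             # step 1113
                break
        (self.system_db if result.kind == "system" else self.comm_db).append(result)
        return verdict


def demo() -> List[Optional[str]]:
    """Constructed scenario: a dropper (pid 800) writes an autorun entry through
    child 4321 and opens an IRC-style connection through sibling 4400. PID 1 is
    deliberately left out of every related process identifier list (see note)."""
    det = Determiner([Policy("persist-and-beacon", "write:autorun", "connect:tcp/6667")])
    events = [
        MonitoringResult("system", "T1", 4321, (4321, 800), "write:autorun"),
        MonitoringResult("communication", "T1", 4400, (4400, 800), "connect:tcp/6667"),
        MonitoringResult("communication", "T1", 5000, (5000, 900), "connect:tcp/6667"),  # unrelated process
        MonitoringResult("communication", "T2", 4321, (4321, 800), "connect:tcp/6667"),  # other terminal
    ]
    return [det.judge(e) for e in events]


if __name__ == "__main__":
    print(demo())
```

One detail the text leaves open matters for precision. Tracing parent processes recursively ends at the root of the process tree (PID 1 on a Unix system, or a session manager on Windows); if that root is kept in every related process identifier list, every process on the terminal becomes related to every other and the policy fires on unrelated activity. The example therefore leaves the root out of the list; a deployment should cut the list at a fixed depth or at a well-known ancestor.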
When the determination result notification unit 338 is called by the illegal process determination unit 337, it notifies, as a warning, a message indicating that an illegal process is active in terminal 101 together with the process identifier of the process judged to be illegal, to terminal 101, to a communication control device (not shown), or to the organization that manages internal network 104.
When terminal 101 receives the warning, it takes measures such as stopping the process judged to be illegal and/or blocking that process's access to the system or its communication, thereby suppressing the activity of the illegal process. Further measures target the program itself: prohibiting subsequent launches of the executable file of the illegal process and, where other processes of the same executable file exist, stopping those processes as well.
When the communication control device receives the warning, it controls the communication performed by the process judged to be illegal in terminal 101, where the illegal process is active, or the communication performed by terminal 101 as a whole. Control here means blocking the communication, restricting its bandwidth, diverting its route, and the like. The communication control device that performs this control is connected on the path through which terminal 101 accesses external network 105, or its function is built into communication monitoring device 102.
When the organization that manages internal network 104 receives the warning, it implements countermeasures that raise the security of the network as a whole, such as sending a warning to the terminal 101 judged to have illegal process activity, to the other terminals 101 connected to internal network 104, and to the communication control device.
In this embodiment three devices are used: terminal 101, communication monitoring device 102 and illegal process determination device 103. However, terminal 101 or communication monitoring device 102 may also double as illegal process determination device 103, giving a system of two devices. When terminal 101 doubles as illegal process determination device 103, the system monitoring result notification unit 315 and the system monitoring result reception unit 332 need not be connected via the network, and the system monitoring result is notified directly from the system monitoring result notification unit 315 to the system monitoring result reception unit 332. Likewise, when communication monitoring device 102 doubles as illegal process determination device 103, the communication monitoring result notification unit 324 and the communication monitoring result reception unit 333 need not be connected via the network, and the communication monitoring result is notified directly from the communication monitoring result notification unit 324 to the communication monitoring result reception unit 333.
Terminal 101 may also double as communication monitoring device 102. In that case, the communication monitored by the communication monitoring unit 323 is not the communication between internal network 104 and external network 105 but the communication that terminal 101 performs with internal network 104. Also in that case, the process information association unit 314 need not embed the process identifier and the related process identifier list in the IP packet in step 907 of Figure 9; it suffices to hold the correspondence between the process identifier and related process identifier list and the communication parameters in memory or in a storage device in advance, so that the communication monitoring unit 323 can refer to it when obtaining the process identifier and related process identifier list in step 1005 of Figure 10.
In this embodiment, the information notified by the system monitoring result notification unit 315 and the communication monitoring result notification unit 324 includes the identifier of the process that performed the activity and its related process identifier list. However, the notified information need not include the related process identifier list. In that case, the information held in the process information database 316 is notified from terminal 101 to illegal process determination device 103, and the system monitoring result reception unit 332 and the communication monitoring result reception unit 333 of illegal process determination device 103 obtain the related process identifier list from the information held in the process information database 316.
According to this embodiment, by using the process identifier to associate the activity obtained through system monitoring with the activity obtained through communication monitoring, the activity of an illegal process can be detected.
[Embodiment 2]
A technology that has attracted attention in recent years is the virtual machine monitor. A virtual machine monitor is software that runs on an information processing device such as terminal 101 and makes a virtual machine operate in the same way as an actual terminal. Because a virtual machine runs on the virtual machine monitor (that is, it operates under the control of the virtual machine monitor), the virtual machine monitor can observe the state of a virtual machine running on it by referring to the memory it manages itself. Illegal processes such as bots have functions that detect monitoring inside the terminal and disable it; by using the virtual machine monitor to monitor the virtual machine on which the illegal process is running from the outside, the monitoring cannot be disabled.
This embodiment shows an example in which the terminal used by the user is a virtual machine. The difference between this embodiment and embodiment 1 is the software configuration of terminal 101. Explanation of the content identical to embodiment 1 is omitted.
Figure 12 shows the software configuration of terminal 101 in this embodiment. Terminal 101 is connected to internal network 104; in terminal 101 the virtual machine monitor 1201 runs, and the virtual machine 1202 runs on it. The hardware configuration of virtual machine 1202 is the same as that of terminal 101 in embodiment 1: an arithmetic unit, memory, a storage device, a communication device, an input device and a display device (only part of which is illustrated). Process 1203, active in virtual machine 1202, communicates with internal network 104 via the data transmit/receive unit 1204 and accesses memory 1205, storage device 1206, input device 1207, display device 1208 and so on, in the same way as process 312 in embodiment 1. This access is called system access.
In this embodiment, on the virtual machine monitor 1201, in addition to virtual machine 1202, there are a data transmit/receive unit 1209 that exchanges data with internal network 104, a system monitoring unit 1210, a process information association unit 1211, a system monitoring result notification unit 1212 and a process information database 1213. The system monitoring unit 1210 monitors, from outside virtual machine 1202, the system access that process 1203 performs inside virtual machine 1202. The process information association unit 1211 monitors, from outside virtual machine 1202, the communication from virtual machine 1202 to internal network 104, and associates the process in virtual machine 1202 with the communication parameters of the monitored communication. The system monitoring result notification unit 1212 sends the monitoring result obtained by the system monitoring unit 1210 to the illegal process determination device 103 via the data transmit/receive unit 1209. The process information database 1213 holds, for each process in virtual machine 1202, the process identifier of that process and the process identifier of the process that generated it (its parent process).
The processing of the system monitoring unit 1210 is identical to that of the system monitoring unit 313 of embodiment 1 shown in Figure 8, except that the system access inside virtual machine 1202 is monitored from outside virtual machine 1202. Likewise, the processing of the process information association unit 1211 is identical to that of the process information association unit 314 of embodiment 1 shown in Figure 9, except that the process information is obtained from outside virtual machine 1202. Likewise, the operation of the system monitoring result notification unit 1212 is identical to that of the system monitoring result notification unit 315 of embodiment 1, and the structure of the process information database 1213 is identical to that of the process information database 316 of embodiment 1 shown in Figure 4.
According to this embodiment, by monitoring the inside of virtual machine 1202 from outside virtual machine 1202, monitoring can be performed without being affected by an illegal process that, for example, disables security software, so that even a malicious illegal process that obstructs monitoring within the terminal can be detected.
Description of drawings
100: illegal process detection system; 101: terminal; 102: communication monitoring device; 103: illegal process determination device; 104: internal network; 105: external network; 313: system monitoring unit; 314: process information association unit; 315: system monitoring result notification unit; 316: process information database; 323: communication monitoring unit; 324: communication monitoring result notification unit; 332: system monitoring result reception unit; 333: communication monitoring result reception unit; 334: system monitoring result database; 335: communication monitoring result database; 336: determination policy; 337: illegal process determination unit; 338: determination result notification unit.

Claims (11)

1. An illegal process detection method for detecting, in an illegal process detection system, an illegal process operating in a terminal connected to a network, characterized in that
said illegal process detection system
monitors system access, which is the access to the storage device and the input/output device of said terminal that accompanies execution of a process in said terminal; associates a first activity, which is processing of said process obtained through the monitoring of said system access, with said process that performed said first activity; and records the result in a system monitoring result database;
monitors the communication performed via said network that accompanies execution of said process in said terminal; associates a second activity, which is processing of said process obtained through the monitoring of said communication, with said process that performed said second activity; and records the result in a communication monitoring result database; and
judges whether an activity that is the same as at least one of said first and second activities, and that is an activity of a process identical to or related to said process that performed it, has been recorded in said system monitoring result database or said communication monitoring result database, and, when it is judged that said activity has been recorded and a predetermined condition is satisfied, judges that said process that performed it is an illegal process.
2. The illegal process detection method according to claim 1, characterized in that
a process related to the process that performed said activity means the following: taking the process that performed said activity as a first process and said related process as a second process, a common process exists between a first process list obtained by recursively tracing back from said first process through the parent processes that generated said first process, and a second process list obtained by recursively tracing back from said second process through the parent processes that generated said second process.
3. The illegal process detection method according to claim 1, characterized in that
said terminal embeds information indicating the process that performed the communication in the IP packets of the communication performed via said network, and
said illegal process detection system, in the monitoring of said communication, extracts the information on said process embedded in the IP packet corresponding to said second activity, and takes the process indicated by the extracted information as the process that performed said second activity.
4. The illegal process detection method according to claim 1, characterized in that
said illegal process detection system outputs a warning in accordance with the judgment that the process that performed said activity in said terminal is an illegal process.
5. The illegal process detection method according to claim 1, characterized in that
when said terminal is a virtual machine, the virtual machine monitor that controls said virtual machine monitors said system access in said virtual machine and associates said first activity in said virtual machine with the process information of said process that performed said first activity.
6. An illegal process detection system in which a terminal, a communication monitoring device and an illegal process determination device are connected to a network, characterized by comprising:
the terminal, which monitors system access, that is, the access to a storage device and an input/output device that accompanies execution of a process; associates a first activity, which is processing of said process obtained through the monitoring of said system access, with said process that performed said first activity; notifies the result as an access monitoring result; and includes, in the communication performed via the network, information indicating said process that performed the communication;
the communication monitoring device, connected to said terminal via said network, which extracts the information indicating said process included in said communication performed via said network; monitors said communication; associates a second activity obtained through the monitoring of said communication with the extracted process; and notifies the result as a communication monitoring result; and
the illegal process determination device, connected to said terminal and said communication monitoring device, which has a database that records said access monitoring result notified from said terminal and said communication monitoring result notified from said communication monitoring device, and which judges that an illegal process is active in said terminal when said first or second activity included in said access monitoring result or said communication monitoring result satisfies a prescribed condition and an activity performed by a process identical to or related to said process associated with said first or second activity is recorded in said database.
7. The illegal process detection system according to claim 6, characterized in that
said terminal records information indicating the parent-child relationship of said processes; when notifying said access monitoring result, notifies it so as to include said process and a process list obtained by recursively tracing back from said process through its parent processes; and also includes in the communication to said communication monitoring device the process list obtained by recursively tracing back from said process through its parent processes, and
said communication monitoring device also includes said process list when notifying said communication monitoring result.
8. The illegal process detection system according to claim 6, characterized in that
a process related to the process that performed said activity means the following: taking the process that performed said activity as a first process and said related process as a second process, a common process exists between a first process list obtained by recursively tracing back from said first process through the parent processes that generated said first process, and a second process list obtained by recursively tracing back from said second process through the parent processes that generated said second process.
9. The illegal process detection system according to claim 6, characterized in that
said terminal, as the information indicating said process, embeds the identifier of said process in the IP packets of the communication performed via said network.
10. The illegal process detection system according to claim 6, characterized in that
said illegal process determination device outputs a warning in accordance with the judgment that an illegal process is active in said terminal.
11. The illegal process detection system according to claim 6, characterized in that
said process is executed by a virtual machine in said terminal, and said terminal comprises a virtual machine monitor that controls said virtual machine, monitors said system access inside said terminal, associates said first activity obtained through the monitoring of said access with said process that performed said first activity and notifies it to said illegal process determination device, and embeds, in the communication performed by said terminal via said network, information indicating said process that performed the communication.
CN2010800342244A 2009-09-01 2010-06-07 Unauthorized process detection method and unauthorized process detection system Pending CN102473221A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2009201794A JP2011053893A (en) 2009-09-01 2009-09-01 Illicit process detection method and illicit process detection system
JP2009-201794 2009-09-01
PCT/JP2010/003782 WO2011027496A1 (en) 2009-09-01 2010-06-07 Unauthorized process detection method and unauthorized process detection system

Publications (1)

Publication Number Publication Date
CN102473221A true CN102473221A (en) 2012-05-23

Family

ID=43649055

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010800342244A Pending CN102473221A (en) 2009-09-01 2010-06-07 Unauthorized process detection method and unauthorized process detection system

Country Status (5)

Country Link
US (1) US20120192278A1 (en)
EP (1) EP2474934A1 (en)
JP (1) JP2011053893A (en)
CN (1) CN102473221A (en)
WO (1) WO2011027496A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104050413A (en) * 2013-03-13 2014-09-17 腾讯科技(深圳)有限公司 Method for data processing and terminal
CN105359156A (en) * 2013-07-05 2016-02-24 日本电信电话株式会社 Unauthorized-access detection system and unauthorized-access detection method
CN105849741A (en) * 2013-12-27 2016-08-10 三菱电机株式会社 Information processing device, information processing method, and program
CN106209734A (en) * 2015-04-30 2016-12-07 阿里巴巴集团控股有限公司 The identity identifying method of process and device
CN103914332B (en) * 2014-04-14 2017-01-18 中国人民解放军国防科学技术大学 Detecting method for true course information in guest operating system of virtual machine
CN108270722A (en) * 2016-12-30 2018-07-10 阿里巴巴集团控股有限公司 A kind of attack detection method and device

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5509796B2 (en) * 2009-11-02 2014-06-04 コニカミノルタ株式会社 COMMUNICATION SYSTEM, COMMUNICATION DEVICE, COMMUNICATION CONTROL METHOD, AND COMMUNICATION CONTROL PROGRAM
JP5857661B2 (en) * 2011-11-18 2016-02-10 沖電気工業株式会社 Packet processing apparatus and method
US8683592B1 (en) * 2011-12-30 2014-03-25 Emc Corporation Associating network and storage activities for forensic analysis
CN102663274B (en) * 2012-02-07 2015-12-02 北京奇虎科技有限公司 A kind of method and system detecting the behavior of long-range invasion computing machine
KR101414959B1 (en) * 2012-02-29 2014-07-09 주식회사 팬택 A detecting method of a network attack and a mobile terminal detecting a network attack
KR101212497B1 (en) * 2012-05-02 2012-12-14 주식회사 팀스톤 Method of monitoring resource and apparatus performing the same
US20140259171A1 (en) * 2013-03-11 2014-09-11 Spikes, Inc. Tunable intrusion prevention with forensic analysis
US9413781B2 (en) 2013-03-15 2016-08-09 Fireeye, Inc. System and method employing structured intelligence to verify and contain threats at endpoints
JP5750497B2 (en) * 2013-12-11 2015-07-22 株式会社アイキュエス Access control device, program, and access control system
US9378367B2 (en) * 2014-03-31 2016-06-28 Symantec Corporation Systems and methods for identifying a source of a suspect event
US10049233B2 (en) * 2014-10-09 2018-08-14 Canon Denshi Kabushiki Kaisha Information processing apparatus, security management method and information processing system that switches from one monitoring unit to another in accordance with operating mode
CN104376261B (en) * 2014-11-27 2017-04-05 南京大学 A kind of method of the automatic detection malicious process under evidence obtaining scene
WO2016113911A1 (en) * 2015-01-16 2016-07-21 三菱電機株式会社 Data assessment device, data assessment method, and program
WO2017019391A1 (en) * 2015-07-24 2017-02-02 Nec Laboratories America, Inc. Graph-based intrusion detection using process traces
RU2634173C1 (en) 2016-06-24 2017-10-24 Акционерное общество "Лаборатория Касперского" System and detecting method of remote administration application
US20170374076A1 (en) * 2016-06-28 2017-12-28 Viewpost Ip Holdings, Llc Systems and methods for detecting fraudulent system activity
JP2018200641A (en) * 2017-05-29 2018-12-20 富士通株式会社 Abnormality detection program, abnormality detection method, and information processing apparatus
US10503899B2 (en) 2017-07-10 2019-12-10 Centripetal Networks, Inc. Cyberanalysis workflow acceleration
JP7206980B2 (en) * 2019-02-07 2023-01-18 日本電気株式会社 COMMUNICATION CONTROL DEVICE, COMMUNICATION CONTROL METHOD AND COMMUNICATION CONTROL PROGRAM
KR102355556B1 (en) * 2019-12-27 2022-01-26 주식회사 안랩 Malicious diagnosis device and malicious diagnosis method using procedure call
WO2024180636A1 (en) * 2023-02-27 2024-09-06 日本電信電話株式会社 Collection device, collection method, and collection program

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040148281A1 (en) * 2000-06-15 2004-07-29 International Business Machines Corporation Virus checking and reporting for computer database search results
US20050120242A1 (en) * 2000-05-28 2005-06-02 Yaron Mayer System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
CN1801031A (en) * 2004-12-31 2006-07-12 福建东方微点信息安全有限责任公司 Method for judging whether a know program has been attacked by employing program behavior knowledge base
US20060242694A1 (en) * 2004-11-08 2006-10-26 Jeffrey Gold Mitigation and mitigation management of attacks in networked systems
US20080022281A1 (en) * 2006-07-19 2008-01-24 Microsoft Corporation Trusted communications with child processes
US20090044265A1 (en) * 2007-03-29 2009-02-12 Ghosh Anup K Attack Resistant Continuous Network Service Trustworthiness Controller
CN100490388C (en) * 2005-08-24 2009-05-20 上海浦东软件园信息技术有限公司 Invading detection method and system based on procedure action

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002073433A (en) 2000-08-28 2002-03-12 Mitsubishi Electric Corp Break-in detecting device and illegal break-in measures management system and break-in detecting method
JP3892322B2 (en) * 2002-03-04 2007-03-14 三菱電機株式会社 Unauthorized access route analysis system and unauthorized access route analysis method
JP2005227982A (en) * 2004-02-12 2005-08-25 Nippon Telegr & Teleph Corp <Ntt> Network system equipped with security monitoring function, log data analysis terminal and information terminal
JP4327698B2 (en) * 2004-10-19 2009-09-09 富士通株式会社 Network type virus activity detection program, processing method and system
US7712143B2 (en) * 2006-09-27 2010-05-04 Blue Ridge Networks, Inc. Trusted enclave for a computer system
JP2008278272A (en) 2007-04-27 2008-11-13 Kddi Corp Electronic system, electronic equipment, central apparatus, program, and recording medium
JP4938576B2 (en) * 2007-07-24 2012-05-23 日本電信電話株式会社 Information collection system and information collection method
US8776218B2 (en) * 2009-07-21 2014-07-08 Sophos Limited Behavioral-based host intrusion prevention system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050120242A1 (en) * 2000-05-28 2005-06-02 Yaron Mayer System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
US20040148281A1 (en) * 2000-06-15 2004-07-29 International Business Machines Corporation Virus checking and reporting for computer database search results
US20060242694A1 (en) * 2004-11-08 2006-10-26 Jeffrey Gold Mitigation and mitigation management of attacks in networked systems
CN1801031A (en) * 2004-12-31 2006-07-12 福建东方微点信息安全有限责任公司 Method for judging whether a known program has been attacked by employing program behavior knowledge base
CN100490388C (en) * 2005-08-24 2009-05-20 上海浦东软件园信息技术有限公司 Invading detection method and system based on procedure action
US20080022281A1 (en) * 2006-07-19 2008-01-24 Microsoft Corporation Trusted communications with child processes
US20090044265A1 (en) * 2007-03-29 2009-02-12 Ghosh Anup K Attack Resistant Continuous Network Service Trustworthiness Controller

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104050413A (en) * 2013-03-13 2014-09-17 腾讯科技(深圳)有限公司 Method for data processing and terminal
CN105359156A (en) * 2013-07-05 2016-02-24 日本电信电话株式会社 Unauthorized-access detection system and unauthorized-access detection method
CN105359156B (en) * 2013-07-05 2018-06-12 日本电信电话株式会社 Unauthorized access detecting system and unauthorized access detection method
US10142343B2 (en) 2013-07-05 2018-11-27 Nippon Telegraph And Telephone Corporation Unauthorized access detecting system and unauthorized access detecting method
CN105849741A (en) * 2013-12-27 2016-08-10 三菱电机株式会社 Information processing device, information processing method, and program
CN103914332B (en) * 2014-04-14 2017-01-18 中国人民解放军国防科学技术大学 Detecting method for true course information in guest operating system of virtual machine
CN106209734A (en) * 2015-04-30 2016-12-07 阿里巴巴集团控股有限公司 The identity identifying method of process and device
CN106209734B (en) * 2015-04-30 2019-07-19 阿里巴巴集团控股有限公司 The identity identifying method and device of process
US11146554B2 (en) 2015-04-30 2021-10-12 Alibaba Group Holding Limited System, method, and apparatus for secure identity authentication
CN108270722A (en) * 2016-12-30 2018-07-10 阿里巴巴集团控股有限公司 A kind of attack detection method and device

Also Published As

Publication number Publication date
EP2474934A1 (en) 2012-07-11
US20120192278A1 (en) 2012-07-26
WO2011027496A1 (en) 2011-03-10
JP2011053893A (en) 2011-03-17

Similar Documents

Publication Publication Date Title
CN102473221A (en) Unauthorized process detection method and unauthorized process detection system
US11546371B2 (en) System and method for determining actions to counter a cyber attack on computing devices based on attack vectors
US10616269B2 (en) Using reputation to avoid false malware detections
US9882920B2 (en) Cross-user correlation for detecting server-side multi-target intrusion
US9680849B2 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US9838405B1 (en) Systems and methods for determining types of malware infections on computing devices
US11848947B2 (en) System and method for providing security to in-vehicle network
US8479267B2 (en) System and method for identifying unauthorized endpoints
US9426179B2 (en) Protecting sensitive information from a secure data store
CN109845227B (en) Method and system for network security
US20100212010A1 (en) Systems and methods that detect sensitive data leakages from applications
US20110078497A1 (en) Automated recovery from a security event
US9934378B1 (en) Systems and methods for filtering log files
JP6267089B2 (en) Virus detection system and method
US20160335433A1 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
EP3767913A1 (en) Systems and methods for correlating events to detect an information security incident
US11399036B2 (en) Systems and methods for correlating events to detect an information security incident
CN108959917A (en) A kind of method, apparatus, equipment and the readable storage medium storing program for executing of Email detection
US10169575B1 (en) Systems and methods for preventing internal network attacks
WO2020190293A1 (en) Replayable hacktraps for intruder capture with reduced impact on false positives
CN112637217B (en) Active defense method and device of cloud computing system based on bait generation
Hassan et al. Extraction of malware iocs and ttps mapping with coas
Alzahrani et al. A Comprehensive SMS-Based Intrusion Detection Framework
Alzahrani An SMS-based mobile botnet detection framework using intelligent agents
CN117992951A (en) Advanced wooden horse real-time detection method and system based on DMA

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120523